Rewterz Threat Alert – A New Cybercrime Gang, UNC2529, Targets Several Countries Including the U.S. – Active IOCs

Severity

Medium

Analysis Summary

The financially motivated threat gang, referred to as UNC2529, is targeting many organizations in the US and other countries. The group shows professional and experienced coding of their malware and custom lures.

Although two distinct attacks took place at the end of 2020, three new malware families have been employed by the group. The malware is tracked as:

• DOUBLEDRAG
• DOUBLEDROP
• DOUBLEBACK

The phishing messages include links to a malicious website that serves the malware. The targeted organizations are mainly in the business sector, healthcare sector, retail sector, and engineering and manufacturing. In some attacks, weaponized Excel documents are used as a downloader.

The attackers used extensive use of fileless malware and obfuscation to evade detection and the backdoors employed in the attacks are very sophisticated.

“UNC2529 is assessed as capable, professional, and well resourced. The identified wide-ranging targets, across geography and industry, suggests a financial crime motive.” concludes the report which also included indicators of compromise and other technical indicators for the attacks.”

Impact

• Phishing
• Data Breach

Indicators of Compromise

MD5

• 4b32115487b4734f2723d461856af155
• 9e3f7e6697843075de537a8ba83da541
• cc17e0a3a15da6a83b06b425ed79d84c
• 1aeecb2827babb42468d8257aa6afdeb
• 1bdf780ea6ff3abee41fe9f48d355592
• 1f285e496096168fbed415e6496a172f
• 6a3a0d3d239f04ffd0666b522b8fcbaa
• ce02ef6efe6171cd5d1b4477e40a3989
• fa9e686b811a1d921623947b8fd56337

SHA-256

• c388f1fd17f0d2be18ce7f294beccb82cc805a38baab2ebcdf5aff83493b34d9
• ce5e4aaab3c22305c52637e3ebfdc851dda3e60f263cb03ccfe5cdca4c18e9e9
• 1e577b21c6c1c89530dd838961b128a25ea1507f870e03f4406b12f46d99da88
• 86158e1c5d4130a73b9cec9b20858b42a6345fc0267bf099ee431792c897799d
• d5aaec63bf670d653a1e3a79436f73b29e6be88cb65c78db8778b2dd14db8853
• 99a0c3a57918273a370a2e9af1dc967e92846821c2198fcdddfc732f8cd15ae1
• 2989581e8a8e3a756ec9af84ff6692526e440349c668e8636e3d10d452995c95
• b3c94fdf4cf16a7d16484976cf8a4abac6d967a7ce8fa4fe9bde3da6d847792f
• f58a4f2b319297a256f6b2d77237804c15323dd5e72a0e3a4bfc27cdd0bb0b86
• 9d20722758c3f1a01a70ffddf91553b7a380b46b3690d11d8ba4ba3afe75ade0
• 8eada491e7fbd8285407897b678b1a3d480c416244db821cfaca0f27ab27901a
• 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA1

• f5807c2946093cc274d20950e3ed9cab10af4e16
• 7c71fcd437cca4c3653f3dad39067bb87abbcf5e
• 51e4a4e6f64fedc7a20921ee578f83be50b0831c
• 653f6938e5521cf70596fc4a3f1d8c8eef21959a
• 90177c060567990e289f746cd126975b9102d675
• 04d6674dbb0b863f0cd963900afce9826c2a488f
• 8306820209e008945315b4e5efd01ba597e4ee0e
• d39142655510cc61f17994489ee9de162bec772a
• 6fd0a05f1273f1a5cb79872c452266b5788fc0f3

URL

• http[:]//p-leh[.]com/update_java[.]dat
• http[:]//clanvisits[.]com/mini[.]dat
• https[:]//towncentrehotels[.]com/ps1[.]dat
• https[:]//klikbets[.]net/admin/client[.]php
• https[:]//lasartoria[.]net/admin/client[.]php
• https[:]//barrel1999[.]com/admin4/client[.]php
• https[:]//widestaticsinfo[.]com/admin4/client[.]php
• https[:]//secureinternet20[.]com/admin5/client[.]php
• https[:]//adsinfocoast[.]com/admin5/client[.]php

Remediation

• Download the latest patches.
• Practice strong security habits and be wary of suspicious emails.
• Install and update antivirus and malware protection software.